Russian security firm finds first fake OS X installer malware

Doctor Web, a Russian security firm, has found a Trojan that mimics the OS X installer on Apple computers in order to obtain phone numbers. The threat is called Trojan.SMSSend.3666 and according to Doctor Web, it is the first such malware to maliciously imitate the installer. Similar threats used to only appear on Windows machines. The Trojan usually gets downloaded through what appears to be legitimate software.

When the user attempts to open the compromised program, the malware launches a fake installer on OS X machines and introduces a prompt asking the user to enter a phone number to activate the software. The malicious program then sends a code by SMS that the user enters to supposedly finish the activation process. That process charges a subscription fee to the user, regularly debited to the person’s mobile phone. Some of the installers do complete the download of the software it’s pretending to be, but the focus of the attack is the phone number.

Targeting victims by mobile number hasn’t been successful in the past, but the spread of this style of malware into Macs shows that cybercriminals have found ways of making it lucrative. More and more services – such as social networks like Facebook and Twitter – are connected to phones these days. According to The Next Web, the appearance of the installer malware on OS X before iOS shows how much tougher it is to get malware on Apple’s mobile devices. It seems that the extra scrutiny the company levels against programs in the Apple App Store does pay off.